The SONY hack is the NSA’s fault, not North Korea’s

New York Times anonymous source notwithstanding, it seems unlikely that North Korea is really responsible for the “Guardians of Peace” hack at SONY. It’s an interesting puzzle who exactly executed the attack, but never mind the facts. Who should we blame?

I say blame the NSA. Here’s why.

The NSA is chartered both to spy on our enemies and to protect ourselves. The offensive* mission traditionally produced espionage operations like ECHELON, while the defensive mission resulted in improved security standards like DES, SHA-1, and SELinux. The defensive mission also produced corporate partnerships to secure our commercial infrastructure.

(Which of these two missions sounds like Security to you?)

The problem is, these two missions are sometimes in conflict with each other. For example, companies around the world use the same networking equipment, so fixing flaws in that equipment helps make the US more secure, but it also makes it harder to spy on companies in enemy countries. Before 9/11, the balance seems to have been relatively stable, but in the Bush administration it shifted radically, as the NSA’s mission shifted from foreign espionage to domestic surveillance, presumably motivated by a desire to discover and monitor all the world’s angry young men. When your mission is to break into American companies’ computer systems inside the USA, there’s not much sense claiming to care about domestic security.

The result was a breakdown of the NSA’s traditional defensive role. Most pointedly, in 2004, the NSA invented and promoted the Dual_EC_DRBG standard, which was later shown to contain what amounts to a mathematical “back door”: whoever chose its published constants can recover the generator’s internal state from a small amount of its output and predict everything it produces afterward. Systems that use it are therefore less secure, a stark contrast to the NSA’s previous standards proposals, which improved security.

More broadly, it seems that the NSA has been collecting exploits for widely used computer systems, and not informing the users or manufacturers. It’s like discovering a way to crack your hotel room’s safe, and not telling the hotel or the maker because if they fix the safes, you won’t be able to rob the other guests. This seems like a great strategy until someone else figures out the flaw, and robs you.

That’s what happened to SONY.

The NSA’s annual budget is estimated to be about $11 billion. Try, if you can, to imagine what it would be like if half of that budget were spent on making the computer security of all companies and citizens of the US and our allies better … and the other half were not spent on making that security worse.

Half the NSA’s budget is close to the entire budget of the National Science Foundation, which funds about 10,000 different scientific initiatives in the US every year. If that half of the NSA were wholeheartedly devoted to defense, I imagine we would see military-scale red-team efforts to find (and report, and fix!) holes in corporate infrastructure, deep funding of efforts to produce and invent suitable, secure consumer software and hardware, and thousands more things to strengthen our society’s digital infrastructure.

In that world, I don’t think SONY would be getting hacked so easily.

And I think to myself:
“What a wonderful world”

* I think this qualifies as a pun.

Millions March

There have been a series of marches and protests all over the country in the past few weeks, under the banner of “Black Lives Matter”, and yesterday was the biggest one yet. Entitled the “Millions March”, it featured coordinated demonstrations in SFO, NYC, and DC. I attended the event here in New York, not least because I had an old friend from out of town who would be there too.

I wasn’t sure what to wear. It was cold out, and my anarchist uniform was in the wash. I have a tendency to view matters of social justice from an academic and religious perspective, so I put on my most professorial outfit, stuffed a yarmulke in my jacket pocket, and headed to the subway.

I didn’t have the time or forethought to make a sign, although I figured marching with the diverse crowd while wearing a yarmulke sent a pretty good message. Halfway through, a young Jewish woman ran up to me and quickly said something about needing to leave but here have this sign with a familiar phrase on it.

"Justice, Justice you shall pursue" #ThisStopsToday
Millions March Sign

I carried it through the rest of the march. It was popular; a few people even stopped to take pictures with me.

The march was incredibly crowded, and full of chanting, but entirely peaceful. The only disorder I observed was when a group of black-clad anarchists just behind us declined to make one of the turns, and instead dashed across the barrier, out into the city streets … to what end, I know not.

I don’t support all the details of the Millions March organizers’ demands, but I enjoyed the march. I felt like I was working toward a more just society, where irrelevant accidents of birth carry less weight in determining our fates.


I had dinner tonight with a cousin of mine who is a prosecutor. It seemed like a good week to pick a prosecutor’s brains, what with the growing clamor around prosecutorial discretion, now that the grand juries reviewing the evidence against the police responsible for the deaths of Michael Brown and Eric Garner have both declined to indict.

In discussions of these grand juries, a frequent argument has been that the prosecutor was underzealous in their pursuit of an indictment. For example, in Ferguson, some have claimed that the grand jury was a sham because “McCulloch presented evidence both against and in favor of Wilson’s prosecution”.

My cousin pointed out that this claim has embedded within it a subtle intellectual dishonesty. If justice is best served by allowing the grand jury to see all the evidence, then critics are implicitly accusing prosecutors of routinely employing unethical practices when presenting to grand juries, and then in the same breath demanding that the prosecutor continue to employ these unethical alleged practices in the case at hand.

I don’t know the recipe for fair assessment of deadly force used by the state, but I think he’s right: that’s not it.

Rogue Agencies

In 2008, the Lashkar-e-Taiba terrorist group staged a highly organized four-day campaign of mass murder in Mumbai, killing 164 people. Lashkar-e-Taiba is supported, if not operationally controlled, by the Pakistan Inter-Services Intelligence Agency (the ISI). India and Pakistan are officially at war, and have been for decades.

In 2001 and 2002, we now know with greater clarity, the US Central Intelligence Agency captured 119 people, subjected them to methods of torture that would shock even a Hollywood screenwriter, and held most of them in prison without trial for the next 10+ years. About a quarter of them were captured entirely by mistake, and had no association with anything of interest. The remainder had some more or less tenuous connection with a disorganized organization that had declared war on the USA, and other nations, for decades.

Perhaps the CIA’s actions are less horrifying than mass murder in broad daylight, but then, their culpability for those actions is complete and unquestioned.

To me, the CIA is as bad as the ISI, and I say to them the same as I said to the NSA when we learned of their astonishing violations:

There Should Be No Such Agency.

You can’t build a coal plant anymore

Lazard Asset Management is some kind of investment bank and consulting firm based in New York City. Every year, among I imagine many other things, they publish a report detailing the cost of producing electricity in the USA by various means. The latest one shows something astonishing: the cost of wind and solar power is now lower than the cost of electricity from coal plants.

For the past few years, the cost of solar photovoltaic panels has been falling rapidly, as process optimizations and economies of scale improve. The question has merely been whether they would keep falling long enough to put the most carbon-intensive electricity sources, like coal, out of business.

Many analysts seemed to think that this would never happen, and argued that much of the perceived decline in prices was illusory, due either to government subsidies or to incorrect pricing models. Solar and wind are not available on-demand; nature decides when you get to make power, which may not be when you need it. As a result, electricity produced in this manner must sometimes be sold when demand is low, leading to lower prices than “dispatchable” energy sources like natural gas turbines.

Lazard’s report computes “levelized” costs, which are subject to this cost modeling problem, so they are somewhat optimistic. However, their calculation is for unsubsidized costs, even though substantial subsidies are available in many places. According to their model, utility-scale solar now costs $60-86 per MWh (and wind costs $37-81), compared to $66-151 for coal, and $61-87 for the most efficient natural gas plants.

If I were in the business of building coal-fired generators or digging coal mines, I would be very concerned. Coal plants take years to build, and decades to recover the construction costs. It seems reasonable to anticipate that renewables will continue to fall in price, driving down the wholesale price of electricity until coal plants operate at negative margin. This has already started to happen in places like South Australia, which had to turn off all its coal plants for one day in September because renewable energy sources were filling all demand with no fuel cost.

It’s hard to pay back the mortgage on your coal plant if, with increasing frequency, it’s not even running. The industry knows this, which is why in 2013 the US installed twice as much new solar generation capacity as coal. Meanwhile, coal plants are being retired much faster than they are being constructed or expanded.

Coal is dead, and everyone already knows it.

At least the mines might still be useful in a renewable-energy world, for transient energy storage.

Back on

I bicycled to work today, for the first time since the accident. Apart from being passed by all the other cyclists on the path, and a bit more riding on the sidewalk than usual, it was uneventful.

On the way home no one passed me, but that might just be because the bikeway is almost perfectly deserted after dark in December.


For The Record

When trying to set up quassel-core on Debian, you must start the daemon and then run quassel-client on a different machine. Do NOT follow the instructions that tell you to add an account at the command-line using the quasselcore --add-user command. It won’t work.

Just install quassel-client on some other machine and it will somehow auto-detect that you are in first-run mode and let you add the admin user. Yes, this is horribly insecure: whoever connects to the Quassel core first owns it!

Bonus advice: if you’ve run the quasselcore command as root, it’s possible that the quassel-core daemon is now running as root, which means that it might make its database file readable only by root … in which case the daemon will fail to start if it subsequently launches as the proper, isolated user.
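As an added example (not code from this post or from the Quassel project), the two checks below cover the two hazards described above: the window during which anyone who can reach the core’s port becomes its admin, and the root-owned database left behind by a first run as root. The data directory, the service user name and the port are assumed to be Debian’s defaults (/var/lib/quassel, quasselcore, 4242); quasselcore’s --listen and --port flags are real options, and binding to 127.0.0.1 until the admin account exists, then forwarding the port from the client machine with ssh -L 4242:127.0.0.1:4242 corehost, closes the first-connection window without trusting the network.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks for a freshly
# installed quasselcore, written against Debian's defaults (assumed here):
# state under /var/lib/quassel, service user "quasselcore", client port 4242.

# check_owner DIR USER: list every regular file under DIR not owned by USER.
# Returns 1 if any exist, 2 if DIR is missing. Catches the failure mode from
# the post, where a first run as root leaves quassel-storage.sqlite owned by
# root and the core then cannot open it when started as the service user.
check_owner() {
    if [ ! -d "$1" ]; then
        echo "no such directory: $1"
        return 2
    fi
    bad=$(find "$1" -type f -exec stat -c '%U %n' {} + 2>/dev/null |
          awk -v want="$2" '$1 != want {
              owner = $1; sub(/^[^ ]+ /, "")
              print "wrong owner on " $0 " (" owner ", expected " want ")"
          }')
    if [ -n "$bad" ]; then
        echo "$bad"
        return 1
    fi
    return 0
}

# loopback_only PORT LISTING: LISTING is the text of `ss -ltn`. Returns 1 if
# any listener on PORT is bound to anything other than 127.0.0.1 or [::1],
# i.e. the core is reachable from other hosts while no admin user exists yet.
loopback_only() {
    echo "$2" | awk -v port="$1" '
        NR > 1 {
            addr = $4; sub(/:[^:]*$/, "", addr)   # strip the ":port" suffix
            lp = $4;   sub(/^.*:/, "", lp)         # keep only the port
            if (lp == port && addr != "127.0.0.1" && addr != "[::1]") bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Interactive use on the core host: sh quassel-check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_owner /var/lib/quassel quasselcore
    loopback_only 4242 "$(ss -ltn)" ||
        echo "port 4242 is reachable from other hosts; until the admin user" \
             "exists, run: quasselcore --listen 127.0.0.1 --port 4242"
fi
```

Run the ownership check after the first start as the service user; if it reports root-owned files, chown them to quasselcore rather than running the daemon as root again. The listener check is worth repeating after any packaging upgrade that rewrites the service’s command line.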


A friend of mine is in a band in Brooklyn, and last night I went to go see them at Muchmore’s, a wine, beer, and soju bar whose performance space looks like an oversized living room coated in disturbing, psychedelic, black and white murals.

The opener was a barefoot, ponytailed dude in a suit, with no instruments. He started talking about what he was going to play, what his first song was, etc., and after a few seconds it became clear that, though he was speaking, his mouth was not moving. The intro speech was pre-recorded, as was the rest of the set. Instead, the dude proceeded to perform an ultra-spastic dance routine for each song, a sort of one-man mosh pit, and to mime his way through the recorded speeches between songs.

The music itself seemed like almost-plausible modern sampled dance music, but I took the whole set as a kind of parody of the genre. I was therefore surprised when I looked online and discovered that he has entire actual albums of it.

Then it was time for my friend’s band, PISS-OFF!. Using a variety of fancy electronic music hardware, they screamed a rapid-fire set that was discordant, scatological, insulting, sloppy, incomprehensible, out of tune, and injuriously loud to performer and listener alike.

In this case I think that qualifies as high praise.